Secure Network Design – Security Controls

Security Controls — NAXS Labs

Controls are the mechanisms you deploy in response to risk. Understanding what each type does, and how they work together, is what separates a layered defense from a collection of tools.

In previous posts we covered risk: what it is, how to assess it, and how to respond to it. Mitigation, one of the four risk responses, is where controls live. A control is any mechanism that reduces the likelihood or impact of a risk materializing. But not all controls do the same thing, and understanding the difference matters when you’re deciding where and how to deploy them.

Types of Controls

Controls fall into five categories based on what they do when a threat is present. Each one addresses a different phase of an attack or incident.

Directive

Policies, procedures, and guidelines that tell people what to do and what not to do. Acceptable use policies, security awareness training, and access control standards are all directive controls. They set expectations before anything happens.

Preventative

Controls that stop a threat from being realized in the first place. Firewalls, MFA, encryption, and network segmentation are preventative. The goal is to block the attack before it succeeds.

Detective

Controls that identify when something has gone wrong. Log monitoring, intrusion detection systems, and audit trails are detective controls. They don’t stop the attack — they tell you it happened and give you something to investigate.

Corrective

Controls that restore systems and operations after an incident. Backups, incident response procedures, and patch management fall here. The goal is to minimize the duration and scope of impact.

Compensating

Alternative controls deployed when a primary control isn’t feasible. If a system can’t support MFA, a compensating control might be network isolation combined with enhanced logging. Compensating controls don’t replace the missing control — they reduce the risk created by its absence. They require documentation and periodic review to ensure they remain adequate.

The Complete Control

Wherever you place a control, the goal is to have all three of these present: preventative, detective, and corrective. Together they form what’s called a complete control. Each one addresses a different phase — before, during, and after — and the absence of any one creates a gap.

Before (Preventative): Stops the threat from succeeding. Reduces likelihood.
During (Detective): Identifies that something is happening. Enables response.
After (Corrective): Restores normal operations. Reduces impact.

A network segment with a firewall but no logging and no recovery plan has a preventative control with nothing behind it. If the firewall is bypassed, you won’t know until the damage is done and you’ll have no structured way to recover. A complete control addresses what happens before, during, and after the threat materializes.

Directive controls underpin everything

Directive controls are often overlooked because they’re not technical. But a firewall nobody is authorized to modify, a logging system nobody is required to review, and a backup nobody is responsible for testing are all incomplete controls. The directive layer is what gives the technical controls operational meaning.
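
The gap check described in the last two sections can be run over a control inventory. The following is an added example, not code from the original post: the inventory, asset names, owners, dates, and the 365-day review interval are all constructed assumptions. It flags assets missing a phase of the complete control, controls with no responsible owner, and compensating controls whose review is overdue.

```python
from datetime import date

PHASES = ("preventative", "detective", "corrective")

# Constructed inventory: asset names, controls, owners and dates are illustrative.
INVENTORY = {
    "dmz": [
        {"name": "perimeter firewall", "type": "preventative", "owner": "netops"},
    ],
    "payments-db": [
        {"name": "MFA", "type": "preventative", "owner": "iam"},
        {"name": "audit trail", "type": "detective", "owner": None},
        {"name": "nightly backup", "type": "corrective", "owner": "dba"},
    ],
    "legacy-plc": [
        {"name": "network isolation", "type": "compensating", "covers": "preventative",
         "owner": "ot", "last_review": date(2023, 1, 10)},
        {"name": "enhanced logging", "type": "detective", "owner": "soc"},
        {"name": "config restore procedure", "type": "corrective", "owner": "ot"},
    ],
}

def audit(controls, today, review_days=365):
    """Return findings for one asset. review_days is an assumed review interval."""
    findings = []
    covered = set()
    for c in controls:
        # A compensating control counts toward the phase whose primary control is absent.
        phase = c.get("covers") if c["type"] == "compensating" else c["type"]
        if phase in PHASES:
            covered.add(phase)
        # Directive layer: every control needs someone responsible for it.
        if not c.get("owner"):
            findings.append(f"no owner: {c['name']}")
        if c["type"] == "compensating":
            reviewed = c.get("last_review")
            if reviewed is None or (today - reviewed).days > review_days:
                findings.append(f"review overdue: {c['name']}")
    findings += [f"missing {p}" for p in PHASES if p not in covered]
    return findings

def audit_all(inventory, today):
    """Map each asset to its list of findings (empty list means complete)."""
    return {asset: audit(ctrls, today) for asset, ctrls in inventory.items()}

if __name__ == "__main__":
    for asset, findings in audit_all(INVENTORY, date(2025, 1, 1)).items():
        print(asset, "->", findings or "complete")
```
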

Controls and Asset Value

The controls you deploy and the depth of coverage you provide should be proportional to the value of the asset being protected. This ties back directly to the risk framework from the previous post: impact is one of the three factors in the risk equation, and impact is a function of what you’re protecting.

A database containing personally identifiable information, financial records, or protected health data warrants a more comprehensive set of controls than a staging environment with no sensitive data. Both might need preventative, detective, and corrective controls — but the depth, redundancy, and rigor of those controls should reflect the criticality of the asset.

Applying the same control depth uniformly across all assets is a resource allocation problem. Security budgets are finite. Concentrating controls where the impact of failure is greatest is the correct approach.

Controls don’t exist in isolation

A single strong control is not a security posture. Defense in depth means layering controls so that the failure of one doesn’t result in a complete compromise. When designing control placement, ask what happens if each control fails independently — and make sure the answer isn’t “everything else falls apart.”


So far we have covered everything from understanding your network to governing it, identifying threats, managing risk, and deploying controls. The technical and organizational pieces don’t work in isolation; each one depends on the others. A control deployed without governance behind it can’t be enforced. A risk assessment without threat identification misses the full picture. And none of it matters if the security program doesn’t have the organizational authority to act on what it finds.
